diff options
author | Stan Hu <stanhu@gmail.com> | 2019-07-16 00:40:09 +0300 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2019-07-16 00:40:09 +0300 |
commit | fea51969fbc5fcb843b9cbb40e8a13faf117d032 (patch) | |
tree | a94a1db58fffe050be5115f70c68b362b6035cce /doc | |
parent | b46cf4290b8efa5e17ea741d1a093042a8d5475a (diff) | |
parent | 97432c9366b433aafae67706c9efb5536e68e7f1 (diff) |
Merge branch '64407-vfazio-quirk-omniauth-strategies-openidconnect' into 'master'
Convert client_auth_method to a Symbol for quirked OmniAuth providers
Closes #64407
See merge request gitlab-org/gitlab-ce!30683
Diffstat (limited to 'doc')
-rw-r--r-- | doc/administration/auth/oidc.md | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/doc/administration/auth/oidc.md b/doc/administration/auth/oidc.md index 454da8c2866..758501629af 100644 --- a/doc/administration/auth/oidc.md +++ b/doc/administration/auth/oidc.md @@ -81,6 +81,13 @@ The OpenID Connect will provide you with a client details and secret for you to - `<your_oidc_url>` (optional) is the URL that points to the OpenID Connect provider. For example, `https://example.com/auth/realms/your-realm`. If this value is not provided, the URL is constructed from the `client_options` in the following format: `<client_options.scheme>://<client_options.host>:<client_options.port>`. - If `discovery` is set to `true`, the OpenID Connect provider will try to auto discover the client options using `<your_oidc_url>/.well-known/openid-configuration`. Defaults to `false`. + - `client_auth_method` (optional) specifies the method used for authenticating the client with the OpenID Connect provider. + - Supported values are: + - `basic` - HTTP Basic Authentication + - `jwt_bearer` - JWT based authentication (private key and client secret signing) + - `mtls` - Mutual TLS or X.509 certificate validation + - Any other value will POST the client id and secret in the request body + - If not specified, defaults to `basic`. - `<uid_field>` (optional) is the field name from the `user_info` details that will be used as `uid` value. For example, `preferred_username`. If this value is not provided or the field with the configured value is missing from the `user_info` details, the `uid` will use the `sub` field. - `client_options` are the OpenID Connect client-specific options. Specifically: @@ -155,9 +162,9 @@ If you're having trouble, here are some tips: `https://accounts.google.com/.well-known/openid-configuration`. 1. The OpenID Connect client uses HTTP Basic Authentication to send the - OAuth2 access token. For example, if you are seeing 401 errors upon - retrieving the `userinfo` endpoint, you may want to check your OpenID - Web server configuration. For example, for + OAuth2 access token if `client_auth_method` is not defined or if set to `basic`. + If you are seeing 401 errors upon retrieving the `userinfo` endpoint, you may + want to check your OpenID Web server configuration. For example, for [oauth2-server-php](https://github.com/bshaffer/oauth2-server-php), you may need to [add a configuration parameter to Apache](https://github.com/bshaffer/oauth2-server-php/issues/926#issuecomment-387502778). |